ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Wide ransomware virus infection sourced from 3rd party IT's remote agents.

    Scheduled Pinned Locked Moved News
    17 Posts 7 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • FredtxF
      Fredtx @WLS-ITGuy
      last edited by

      @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

      @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

      @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

      @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

      We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

      If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

      Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

      dafyreD 1 Reply Last reply Reply Quote 0
      • dafyreD
        dafyre @Fredtx
        last edited by

        @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

        @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

        @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

        @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

        @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

        We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

        If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

        Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

        That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

        DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 3
        • DashrenderD
          Dashrender @dafyre
          last edited by

          @dafyre said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

          @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

          @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

          @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

          @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

          @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

          We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

          If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

          Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

          That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

          Yeps, just like the vulnerability in RDP a few weeks ago is in the protocol, has nothing to do with the password - it's simply bypassed.

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @WLS-ITGuy
            last edited by

            @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

            @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

            @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

            @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

            We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

            If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

            Yes and no. Certainly core responsibility would fall there, but there is also a selection responsibility from the MSP's side of things, too. You can't willfully choose tools irresponsibly and not be accountable. Not that they did, we don't know anything here. Just saying that bad software doesn't excuse the IT team that chose it.

            As IT people, recommending and choosing good products is a huge part of what we are responsible for.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Fredtx
              last edited by

              @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

              @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

              @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

              We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

              So many different MSPs, but they all shared one tool?

              FredtxF 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @dafyre
                last edited by

                @dafyre said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?

                Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.

                That would protect against a breached password, but if the vulnerability lies in the agent, I don't think 2FA would matter.

                That's correct, it would not.

                1 Reply Last reply Reply Quote 0
                • FredtxF
                  Fredtx @scottalanmiller
                  last edited by

                  @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                  @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                  @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                  @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                  We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                  So many different MSPs, but they all shared one tool?

                  It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Fredtx
                    last edited by

                    @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                    @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                    @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                    @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                    @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                    We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                    So many different MSPs, but they all shared one tool?

                    It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                    What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

                    FredtxF 1 Reply Last reply Reply Quote 2
                    • FredtxF
                      Fredtx @scottalanmiller
                      last edited by

                      @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                      @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                      @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                      @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                      @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                      @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                      We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                      So many different MSPs, but they all shared one tool?

                      It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                      What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

                      I was told it was Connect Wise.

                      JaredBuschJ 1 Reply Last reply Reply Quote 1
                      • JaredBuschJ
                        JaredBusch @Fredtx
                        last edited by

                        @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                        @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                        We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                        So many different MSPs, but they all shared one tool?

                        It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                        What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

                        I was told it was Connect Wise.

                        Old and Unpatched, or weak passwords then.

                        scottalanmillerS 1 Reply Last reply Reply Quote 1
                        • scottalanmillerS
                          scottalanmiller @JaredBusch
                          last edited by

                          @JaredBusch said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:

                          @Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?

                          We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I for one hand did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most of the ransomware cases involves a self executable file.

                          So many different MSPs, but they all shared one tool?

                          It was only one MSP (PM Consultants) who’s agent spread the infection to their own customers. Their customers called our support desperate for help.

                          What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.

                          I was told it was Connect Wise.

                          Old and Unpatched, or weak passwords then.

                          Likely. Attach probably came through an MSP workstation.

                          1 Reply Last reply Reply Quote 1
                          • 1 / 1
                          • First post
                            Last post